tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 57736] New: changes from Tomcat 7 to Tomcat 8 causing problems
Date Sun, 22 Mar 2015 17:35:34 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=57736

            Bug ID: 57736
           Summary: changes from Tomcat 7 to Tomcat 8 causing problems
           Product: Tomcat 8
           Version: 8.0.20
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: frank.holler@gmx.de

Our webapp is using bouncycastle security provider, which was packed within the
WEB-INF/lib folder.
Furthermore our webapp run within a tomcat environment, which uses
unpackWars="false".

This woked fine with Tomcat6 and Tomcat7. After switching to Tomcat8 we got an
exception:
Caused by: java.lang.SecurityException: JCE cannot authenticate the provider BC
    at javax.crypto.Cipher.getInstance(Cipher.java:642)
    at javax.crypto.Cipher.getInstance(Cipher.java:580)
    at
de.balvi.xmljobs.job.domain.JobParameterType$PasswordJobParameterType.createCipher(JobParameterType.java:200)
    at
de.balvi.xmljobs.job.domain.JobParameterType$PasswordJobParameterType.toPersistent(JobParameterType.java:169)
    ... 96 more
Caused by: java.util.jar.JarException:
jar:file:/D:/Java_Bin/BALVI_TOMCAT/webapps/ROOT.war!/WEB-INF/lib/bcprov-jdk15on-1.51.jar
has unsigned entries - WEB-INF/css/bootstrap-responsive.min.css
    at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:462)
    at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322)
    at javax.crypto.JarVerifier.verify(JarVerifier.java:250)
    at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:161)
    at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:187)
    at javax.crypto.Cipher.getInstance(Cipher.java:638)
    at javax.crypto.Cipher.getInstance(Cipher.java:580)
    at
de.balvi.xmljobs.job.domain.JobParameterType$PasswordJobParameterType.createCipher(JobParameterType.java:200)

The exception "java.util.jar.JarException:
jar:file:/D:/Java_Bin/BALVI_TOMCAT/webapps/ROOT.war!/WEB-INF/lib/bcprov-jdk15on-1.51.jar
has unsigned entries - WEB-INF/css/bootstrap-responsive.min.css"
states to an entry of the WAR itself instead of an entry of the
bcprov-jdk150-1.51.jar.

Extract from
JobParameterType$PasswordJobParameterType.createCipher(JobParameterType.java:200)
states to

       private Cipher createCipher(int encryptMode) throws
NoSuchAlgorithmException, NoSuchProviderException,
                NoSuchPaddingException, InvalidKeyException,
InvalidAlgorithmParameterException {
            // Register BouncyCastleProvider
            Security.addProvider(new BouncyCastleProvider());
            // Create the IV Key
            AlgorithmParameterSpec IVspec = new IvParameterSpec(getIV128Key());

            // Create the Cipher für Decrypting
            Cipher encryptCipher = Cipher.getInstance("AES/CBC/PKCS5Padding",
"BC");  // <== line 200
            SecretKey keyValue = new SecretKeySpec(getAES128Key(), "AES");
            encryptCipher.init(encryptMode, keyValue, IVspec);

            return encryptCipher;
        }

As workaround, i removed the bouncycastle provider from the WEB-INF/lib and put
it to CATALINA_BASE/lib.

A second problem occured, when a uri resource is loaded from a jar inside a
unpacked war:
com.mycila.xmltool.XMLDocumentException: Validation failed: Illegal character
in opaque part at index 55:
jar:war:file:/D:/Java_Bin/BALVI_TOMCAT/webapps/ROOT.war^/WEB-INF/lib/xmljobs-1.1.1.jar!/xmljobs/groovy-flow-1.0.xsd

The RFC 2396 "URI Generic Syntax" says, the char ^ is an "unwise" uri char,
which causes a java.net.URISyntaxException in our environment.

As workaround, we changed the resource loader to return a Stream instead of the
uri string. 

Both problems are reproducable with any java platform. (Tried Java 7/8 on
Windows X86_64, Linux X86_64) with Tomcat 8. Tomcat 7 has no problem.

Please check the changes form 7 to 8.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message